my digital notebook

Main menu

Tag Archives: personality traits

Diebold makes electronic voting systems. In fact they make a lot of electronic voting systems! They advertise “Over 130,000 Diebold electronic voting stations are being used in locations across the United States to assist voters in exercising their most fundamental constitutional right: the right to vote.” With the 2000 and 2004 elections being shrouded in suspicion of voter fraud, you would think that Diebold would make every effort to ensure the security of their product. They have not.

The guys at Princeton have put together a video that shows just how insecure these systems really are. Aside from the multiple logical attacks that work against them, the ways to defeat the physical security are countless. They seem to use a “wafer-tumbler” type lock that can be easily picked in under 5 seconds. Don’t know how to pick locks? No problem. Just unscrew the bottom and you have access!

As if all this was not disturbing enough, Diebold had put a picture of the master key to these systems up on their online store and Ross Kinard of SploitCast used it to create a working key of his own. While this may seem difficult, it is not. Using the image, one can determine which key blank to use fairly easily. This is because there are really not that many key blanks in use; especially for “wafer-tumbler” type locks. Once the key blank is determined, all that is left is to figure out how deep make the cuts. This can be quickly determined by referencing the photo that was so kindly provided by Diebold on their online store. Granted, there are a few more details to be aware of, but anyone who has invested much time in learning how to defeat locks should have little trouble in figuring them out.

Ross writes:

I bought three blank keys from Ace. Then a drill vise and three cabinet locks that used a different type of key from Lowes. I hoped that the spacing and depths on the cabinet locksâ€™ keys would be similar to those on the voting machine key. With some files I had I then made three keys to look like the key in the picture.

He then sent the keys to J. Alex Halderman at Freedom To Tinker.com who quickly confirmed that two of the three keys would, indeed, open the door to the memory card on the Diebold system. This video shows the key Ross made opening the voting machine used in the Princeton study:

Didbold has finally removed the picture of the key from their website, but it would seem that it’s too little too late. The picture is out there along with more than 130,000 voting machines on which a key made from it will work. It looks like this is one company that has some explaining to do!

The flatland model of locks can explain effects that involvs more than one pin, but a different model is needed to explain the detailed behavior of a single pin. See Figure 5.1. The pin-column model highlights the relationship between the torque applied and the amount of force needed to lift each pin. It is essential that you understand this relationship.

In order to understand the “feel” of lock picking you need to know how the movement of a pin is effect by the torque applied by your torque wrench (tensioner) and the pressure applied by your pick. A good way to represent this understanding is a graph that shows the minimum pressure needed to move a pin as a function of how far the pin has been displaced from its initial position. The remainder of this chapter will derive that force graph from the pin-column model.

Figure 5.2 shows a single pin position after torque has been applied to the plug. The forces acting of the driver pin are the friction from the sides, the spring contact force from above, and the con tact force from the key pin below. The amount of pressure you apply to the pick determines the contact force from below.

The spring force increases as the pins are pushed in to the hull, but the increase is slight, so we will assume that the spring force is constant over the range of displacements we are interested in. The pins will not move unless you apply enough pressure to overcome the spring force. The binding frictionee is proportional to how hard the driver pin is being scissored between the plug and the hull, which in this case is proportional to the torque. The more torque you apply to the plug, the harder it will be to move the pins. To make a pin move, you need to apply a pressure that is greater than the sum of the spring and friction forces.

When the bottom of the driver pin reaches the sheer line, the situation suddenly changes. See Figure 5.3. The friction binding force drops to zero and the plug rotates slightly (until some other pin binds). Now the only resistance to motion is the spring force. After the top of the key pin crosses the gap between the plug and the hull, new contact force arises from the key pin striking the hull. This force can be quite large, and it causes a peak in the amount of pressure needed to move a pin.

If the pins are pushed further into the hull, the key pin acquires a binding fiction like the driver pin had in the initial situation. See Figure 5.4. Thus, the amount of pressure needed to move the pins before and after the sheer line is about the same. Increasing the torque increases the required pressure. At the sheerline, the pressure increases dramatically due to the key pin hitting the hull. This analysis is summarized graphically in figure 5.5.

In order to become good at picking locks, you will need a detailed understanding of how locks works and what happens as it is picked. This document uses two models to help you understand the behavior of locks. This chapter presents a model that highlights interactions between pin positions. Chapter 4 uses this model to explain how picking works. Chapter 9 will use this model to explain complicated mechanical defects.

The “flatland” model of a lock is shown in Figure 3.1. This is not a cross section of a real lock. It is a cross section of a very simple kind of lock. The purpose of this lock is to keep two plates of metal from sliding over each other unless the proper key is present. The lock is constructed by placing the two plates over each other and drilling holes which pass through both plates. The figure shows a two hole lock. Two pins are placed in each hole such that the gap between the pins does not line up with the gap between the plates. The bottom pin is called the key pin because it touches the key. The top pin is called the driver pin. Often the driver and key pins are just called the driver and the pin. A protrusion on the underside of the bottom plate keeps the pins from falling out, and a spring above the top plate pushes down on the driver pin.

If the key is absent, the plates cannot slide over each other because the driver pins pass through both plates. The correct key lifts the pin pairs to align the gap between the pins with the gap between the plates. See Figure 3.3. That is, the key lifts the key pin until its top reaches the lock’s sheer line. In this configuration, the plates can slide past each other.

Figure 3.3 also illustrates one of the important features of real locks. There is always a sliding allowance. That is, any parts which slide past each other must be separated by a gap. The gap between the top and bottom plates allows a range of keys to open the lock. Notice that the right key pin in Figure 3.3 is not raised as high as the left pin, yet the lock will still open.

This chapter presents the basic workings of pin tumbler locks, and the vocabulary used in the rest of this booklet. The terms used to describe locks and lock parts vary from manufacture to manufacture and from city to city, so even if you already understand the basic workings of locks, you should look at figure 2.1 for the vocabulary.

Knowing how a lock works when it is opened by a key is only part of what you need to know. You also need to know how a lock responds to picking. Chapters 3 and 5 present models which will help you understand a lock’s response to picking.

Figure 2.1 introduces the vocabulary of real locks. The key is inserted into the keyway of the plug. The protrusions on the side of the keyway are called wards. Wards restrict the set of keys that can be inserted into the plug. The plug is a cylinder which can rotate when the proper key is fully inserted. The non-rotating part of the lock is called the hull. The first pin touched by the key is called pin one. The remaining pins are numbered increasingly toward the rear of the lock.

The proper key lifts each pin pair until the gap between the key pin and the driver pin reaches the sheer line. When all the pins are in this position, the plug can rotate and the lock can be opened. An incorrect key will leave some of the pins protruding between the hull and the plug, and these pins will prevent the plug from rotating.

The big secret of lock picking is that it’s easy. Anyone can learn how to pick locks.

The theory of lock picking is the theory of exploiting mechanical defects. There are a few basic concepts and definitions but the bulk of the material consists of tricks for opening locks with particular defects or characteristics. The organization of this manual reflects this structure. The first few chapters presents the vocabulary and basic information about locks and lock picking. There is no way to learn lock picking without practicing, so one chapter presents a set of carefully chosen exercises that will help you learn the skills of lock picking. The document ends with a catalog of the mechanical traits and defects found in locks and the techniques used to recognize and exploit them. The first appendix describes how to make lock picking tools. The other appendix presents some of the legal issues of lock picking.

The exercises are important. The only way to learn how to recognize and exploit the defects in a lock is to practice. This means practicing many times on the same lock as well as practicing on many different locks. Anyone can learn how to open desk and filing cabinet locks, but the ability to open most locks in under thirty seconds is a skill that requires practice.

Before getting into the details of locks and picking, it is worth pointing out that lock picking is just one way to bypass a lock, though it does cause less damage than brute force techniques. In fact, it may be easier to bypass the bolt mechanism than to bypass the lock. It may also easier to bypass some other part of the door or even avoid the door entirely. Rememer: There is always another way, usually a better one.

Executive Summary:

The MIT Hacking community is saddened by the series of recent events which have made the “MIT Guide To Lockpicking” available electronically in a indiscriminate fashion. We would like to state, once again, that we believe such distribution is inappropriate. Since we clearly have no control over the guide’s dissemination, we would, at the least, like those distributing the guide to do the following:

Add an integral section on [Hacking] Ethics

Disassociate the MIT name from the distributed guide

Rationale:

We believe that the guide should be freely available to hackers who have a sense of ethics. Individuals have always been encouraged to only pass the information on to others who will use the information responsibly. Dissemination of the “MIT Guide” to the anonymous usenet and internet masses is irresponsible, at best. While most members of the internet community may use this information in ethical ways, some may not. Even if only a few people (a trivial percentage of the potential electronic readership) use the information in an unethical fashion, the damage can be considerable.

Many have, correctly, noted that there is no “magic” information contained in the “MIT Guide”. All the basic information is available from other texts. The MIT Guide distills the information relevant to lock picking and presents it clearly and succinctly. Electronic dissemination of this ~40 page text lowers the effort (and hence commitment) an individual must expend to gain a working knowledge of lockpicking. Widespread electronic availability of the document encourages everyone, regardless of their personal mores, to gain the skill.

The guide was originally written to pass on non-destructive methods of entry to members of the MIT Hacking community. At MIT “Roof and Tunnel Hacking” is a pastime where students explore the Institute where they live and work. For reasons of safety, liability, and privacy, the MIT administration isolates certain portions of the Institute from general traffic using various methods, including locks. Mastery over locks is, hence, a valuable asset to the dedicated roof and tunnel hacker.

Roof and tunnel hacking at MIT is concerned primarily with non-intrusive exploration. The goal is to discover and learn, not to steal, destroy, or invade anyone’s privacy. Unfortunately, the skills which one needs in hacking can be perverted to nefarious ends. Established MIT Hackers always make an effort to convey a proper sense of ethics to new hackers and to be discerning about the techniques they teach to new hackers. The “MIT Guide” has always been given to new hackers only after they demonstrated themselves to be responsible.

The “MIT Guide” was never intended to be distributed separate from the oral tradition and indoctrination associated with the MIT Hacking community. In hindsight, we can acknowledge, that it was a grievous oversight on the part of the author(s) of the “MIT Guide” that the document was written without attempting to integrate some of the ethics and context of MIT Hacking into the document itself. We agree that no amount of words will convey the same sense of hacking ethics as one acquires being a part of the MIT Hacking community. Nonetheless, we feel the distributed guide, stripped of its context–the MIT Hacking community, is very irresponsible and sadly lacking. We believe the very least that can be done is to attempt to include in this artifact some of the ethics which are part of the oral hacking education at MIT.

The MIT Hacking community does not support the guide’s distribution in electronic form for the reasons mentioned above. Further, it is quite clear from the actions taken by Ted T. Tool and others that the MIT Hacking community has no control over the guide’s dissemination. Consequently, we feel it is inappropriate for the guide to be labelled as an “MIT Guide”. At this point, the guide is neither being distributed by MIT nor with the blessing of the MIT Hacking community. We would like to ask Ted T. Tool [who left the MIT Hacking community several years ago] and anyone else distributing copies or derivatives of the original work, to disassociate the guide from MIT if they insist on continuing anonymous distribution. Such actions are counter to MIT Hacking ethics, and the MIT community would prefer not to imply that it condones such actions.

Words will not do justice to the MIT Hacking Ethics. Nonetheless, following is a brief list containing a few of the major principles to which the MIT Roof and Tunnel Hacking community adheres during its exploratory
expeditions:

Be SUBTLE — leave no evidence that you were ever there. (This is a general rule which applies to lots of circumstances — a few are enumerated explicitly in this list, but many principles follow from this simple edict)

Leave things as you found them (or better).

If you find something broken call F-IXIT (a local number for reporting problems with the buildings and grounds — Hackers often go places the normal institute workers do not frequent regularly and hence may see problems before the workers do).

Leave no damage.

Do not steal anything.

Brute force is the last resort of the incompetent.

Do not hack while under the influence of alcohol/drugs/etc.

Do not drop things (off a building w/out a ground crew).

Do not hack alone (just like swimming).

Exercise COMMON SENSE. (This is another general rule with very wide applicability — when exploring, you are often in places which were not intended for normal traffic. The people who built the area may not have assumed anyone would be there without special knowledge of the area Many of the assumptions you are used to making are not valid or applicable while hacking. It is very important that you stay alert and think clearly.)

Please, consider your actions carefully. If you feel you must continue to distribute the guide, we strongly advocate the addition of an integral section on ethics. As long as the MIT community has no controlover the contents or distribution of the guide, it is inappropriate to call it the MIT guide. Consequently, we ask that the name of the distributed guide be changed.

Distribution

Copyright 1987, 1991 Theodore T. Tool. All rights reserved.

Permission to reproduce this document on a non-profit basis is granted provided that this copyright and distribution notice is included in full. The information in this booklet is provided for educational purposes only.